Correspondent and intermediary relationships in the investment sector - Thematic Review 2025

Correspondent and intermediary relationships in the investment sector Thematic Review - 2025 Published: 15 December 2025

2 Contents Glossary of Terms....................................................................................................................................... 3 Executive Summary .................................................................................................................................... 4 Summary of Areas to Consider ....................................................................................................................... 6 Section 1: Background................................................................................................................................ 7 1.1 What is a regulated intermediary? ..............................................................................................................7 1.2 How does the Handbook account for regulated intermediaries? ................................................................7 1.3 Use of regulated intermediaries in the Bailiwick .......................................................................................7 1.4 Rationale for the thematic review...............................................................................................................8 1.5 Scope and approach of the thematic review ...............................................................................................9 Section 2: Thematic Findings ................................................................................................................... 10 2.1 Misclassification of regulated intermediaries...........................................................................................10 2.2 Risk assessments ......................................................................................................................................11 2.3 Regulated intermediary written confirmations.........................................................................................14 2.4 Compliance monitoring programme.........................................................................................................17 2.5 Central securities depositories..................................................................................................................17 2.6 Board risk understanding..........................................................................................................................19 Section 3: Conclusion and Next Steps...................................................................................................... 21 Appendix 1: Intermediary and Correspondent Relationships Flowchart.................................................. 22

3 Glossary of Terms AML – Anti-Money Laundering. Appendix C – A list of countries or territories in the Handbook which the Commission considers requires regulated financial services businesses to have in place measures consistent with the FATF Recommendations. Bailiwick – Bailiwick of Guernsey. Board – Board of directors (or the senior management where the licensee is not a body corporate). CDD – Customer Due Diligence. CSD – Central Securities Depository CFT – Countering the Financing of Terrorism. Correspondent Relationship – is a business relationship between the firm (correspondent), with an intermediary (respondent) which is a regulated financial services business. In such cases the customer of the respondent would not be considered the customer of the correspondent as per section 8.6 of the Handbook. Commission – Guernsey Financial Services Commission. CPF – Countering the Financing of Proliferation of Weapons of Mass Destruction. ECDD – Enhanced Customer Due Diligence. FATF – Financial Action Task Force. Firm – A financial services business licensed under the Protection of Investors (Bailiwick of Guernsey) Law, 2020 subject to the requirements of Schedule 3 and the Handbook. Handbook – The Handbook on Countering Financial Crime (AML/CFT/CPF). Intermediary Relationship - is where the firm enters into a business relationship with an intermediary, which is a regulated financial services business in an Appendix C jurisdiction who is acting for, or on behalf, of its customers, and where the business relationship the firm has is with the intermediary and not the intermediary’s customers, and the risk of the relationship is assessed as low risk as per section 9.8 of the Handbook. ML – Money Laundering. MLCO – Money Laundering Compliance Officer. PEP – Politically Exposed Person. PF – Proliferation Financing. Regulated Intermediary – A regulated financial services business, which acts in its own name and exercises control over the investment for, or on behalf, of its customers. SAR – Suspicious Activity Report. TF – Terrorist Financing.

4 Executive Summary In the first half of 2025, the Commission conducted onsite visits to firms in the investment sector to assess the effectiveness of firms’ monitoring of, and compliance with, the intermediary and correspondent relationship requirements of the Handbook on Countering Financial Crime (AML/CFT/CPF) (the “Handbook”). An analysis of data provided by 131 firms (as of 14 October 2024) was used to select the 30 firms with the greatest number of intermediary/correspondent relationships for onsite assessment by the Commission. Onsite visits consisted of a review of firms’ business risk assessments, policies procedures and controls, compliance monitoring programmes, and management information, as well as reviews of up to ten regulated intermediary files. This was supplemented with interviews of the firms’ Money Laundering Compliance Officer (“MLCO”) and a representative of the Board in order to gain further insight into the control framework and risk perceptions. Regulated intermediaries play a vital role in the global securities markets allowing firms to provide select products and services to a wider range of underlying customers than would be practical through direct onboarding. However, as the firm does not have a direct relationship with the regulated intermediary’s customers, there exists an elevated financial crime risk that the regulated intermediary is being used to mask the identity of an underlying customer for criminal purposes. This risk has recently come to the forefront with the application of Russian targeted financial sanctions, where we have seen examples of Russian designated persons using intermediaries to hide their identity. Firms will often interact with regulated intermediaries, which may provide services on behalf of the firm to a person or entity who is the customer of the firm, a customer of the regulated intermediary or a customer of both. The relationship between the firm and the regulated intermediary is generally regarded to be similar to a correspondent banking relationship where the firm, is the correspondent, for providing investment services to the regulated intermediary, who is the respondent. This is known as a correspondent relationship. This approach is endorsed by the Financial Action Task Force (“FATF”) in its guidance for the securities sector1 . The Handbook allows a firm to act as a correspondent and to treat the regulated intermediary as its customer without having to drill down and identify the customers of the regulated intermediary (who is the respondent). However the Handbook draws a distinction on how much due diligence a firm should apply to the regulated intermediary which is dependent on the location of the regulated intermediary and on the level of risk. If the regulated intermediary is located in a jurisdiction on Appendix C and the relationship with the regulated intermediary has been assessed as low risk by the firm, the firm may apply simplified due diligence in line with the intermediary relationship provisions in the Handbook. If the relationship is not assessed as low risk or the regulated intermediary 1 https://www.fatf-gafi.org/content/dam/fatf-gafi/guidance/RBA-Securities-Sector.pdf.coredownload.pdf

5 is not located in a jurisdiction on Appendix C, it can either identify and verify the intermediary’s customers, or treat the intermediary as a correspondent relationship under the Handbook and perform enhanced customer due diligence (“ECDD”). In the Bailiwick’s recent mutual evaluation, Moneyval raised concerns that the investment sector was not cognisant of the risks of regulated intermediaries, had misinterpreted the customer due diligence (“CDD”) obligations to be applied to regulated intermediaries, and recommended that the Commission should make further efforts to monitor and ensure the proper application of simplified due diligence to regulated intermediaries. The Commission reviewed the records of 244 regulated intermediaries, with the majority of firms having conducted thorough and effective risk assessments and 96% of firms holding written confirmations from the regulated intermediary as to the adequacy of its financial crime policies, procedures, and controls2 . Nonetheless, as a result of the thematic we did impose risk mitigation programmes on two firms, with another two already being subject to risk mitigation programmes which included the intermediary relationship provisions. Moreover, we identified six areas for improvement which all firms that use the intermediary and correspondent relationships provisions should take note of, which are summarised below and covered in greater detail within the body of the report. The areas for improvement identified, to some extent, support Moneyval’s concerns. We wish to thank those firms that participated in the thematic review through the completion of the thematic questionnaire, together with those that also participated in the onsite visits. The Commission will consider how firms have incorporated the findings from this report as part of its ongoing supervision. Moreover, we will also consider what additional guidance can be given in the Handbook in relation to both intermediary and correspondent relationships, taking into account not only these findings, but also what measures are applied in other international financial centres. 2 Note that a small number of firms were excluded from statistical analysis and reporting due to identifying that the reported intermediaries had been incorrectly classified as such. For example, some were incorrectly classifying collective investment schemes as intermediaries.

6 Summary of Areas to Consider Area 1: Misclassification of Intermediary Relationships (Page 11) Issue: Some firms were using the intermediary relationship provisions where this was not appropriate, such as when the regulated intermediary was not located in an Appendix C jurisdiction or not assessed as low risk. Action: Firms should review their intermediary relationships to ensure that the provisions are appropriately applied where the customer is determined to be a regulated intermediary in line with section 9.8 of the Handbook. Area 2: Risk Assessments (Page 14) Issue: Some firms were unable to assign a low risk rating in their systems because internal policies, procedures, and controls mandated that no business relationship be rated low risk. Secondly, some firms did not document in the relationship risk assessment how they had discounted adverse information and why a low risk rating remained appropriate. Thirdly, it was not always evident from the relationship risk assessment as to the intended purpose and nature of the intermediary relationship. Action: Firms should ensure that risk assessments completed for intermediary relationships take into account all relevant risk factors and that it is only relationships where the risk is rated as low that they can continue to be classed as intermediary relationships. Area 3: Intermediary Relationships Written Confirmations (Page 16) Issue: Some written confirmations from regulated intermediaries did not contain all attestations required by Handbook rule 9.47. Action: Firms should ensure that written confirmations from the regulated intermediary meet the requirements of Handbook rule 9.47 in full and document consideration of how the requirements are met if the wording does not fully align. Area 4: Compliance Monitoring Programme (Page 17) Issue: In certain instances, intermediary relationships were not tested as part of the compliance monitoring programme, leading to non-compliance with section 9.8 of the Handbook. Action: Firms should ensure that regulated intermediary files, policies, and procedures are tested as part of the compliance monitoring programme, with focus on the specific Handbook requirements for intermediaries. Area 5: Central Securities Depositories (Page 18) Issue: The majority of central securities depositories such as Euroclear and Clearstream are currently categorised by firms as intermediary relationships under section 9.8 of the Handbook, when they are unable to provide the written confirmations required by Handbook rule 9.47. Action: In order to treat the central securities depositary as the customer, rather than its underlying customers, it should be reclassified as correspondent relationships in line with section 8.6 of the Handbook3 . Area 6: Board Risk Understanding (Page 20) Issue: In certain instances, there was no reference to the inherent risks associated with regulated intermediaries in the business risk assessments. Action: Firms should ensure that they carry out and document suitable and sufficient business risk assessments for money laundering (“ML”), terrorist financing (“TF”) and proliferation financing (“PF”), which consider all the relevant risk factors and management information available, and are specific to the firm, including the risk associated with regulated intermediaries if applicable. 3 Note: This is also in line with guidance issued by Clearstream on AML and KYC for investment funds: https://www.clearstream.com/resource/blob/1969580/28581c0345c41db7a5b973fe0f7f8fd6/aml-kyc-data.pd

7 Section 1: Background 1.1 What is a regulated intermediary? In the provision of their products and services, firms will often interact with regulated intermediaries, which may provide services on behalf of the firm to a person or entity who is the customer of the firm, a customer of the regulated intermediary or a customer of both. There are a variety of intermediary roles in the investment sector, however the focus of this thematic review were those intermediaries which are regulated and supervised by a supervisory authority for investment business and make investments into a collective investment scheme or similar, acting in their own name and as registered owner of the shares/units. 1.2 How does the Handbook account for regulated intermediaries? Dependent on the assessed risk of the relationship, these types of arrangements can either be onboarded under the intermediary relationship provisions in section 9.8 of the Handbook, or under the correspondent relationship provisions in section 8.6 Handbook. If the firm has assessed the ML/TF/PF risks of the relationship with the regulated intermediary as low, it may, subject to certain criteria being met and only in respect of certain qualifying products and services, treat the regulated intermediary as its customer for CDD purposes as per section 9.8 of the Handbook. However, if the firm has assessed the risk of the intermediary relationship as other than low, then it has the ability to use the correspondent relationship provisions in Section 8.6, but the relationship must be classed as high risk and ECDD measures applied. Historically, firms in Guernsey have solely used the intermediary relationship provisions in section 9.8 of the Handbook, but there has been increased use of the correspondent relationships provisions in certain cases, such as a regulated intermediary being resident in a jurisdiction on the FATF “Grey List” 4 and consequently no longer listed as an Appendix C jurisdiction. 1.3 Use of regulated intermediaries in the Bailiwick The results of the thematic review survey indicated that approximately £42 billion of assets under management (“AUM”) are held through regulated intermediaries within the Bailiwick across forty-eight investment firms5 predominantly in the open-ended collective investment scheme (“CIS”) sector. The Commission has been collecting statistics on the use of regulated intermediaries since the first Financial Crime Risk Return in 2015, in particular on the number and geographic location of regulated intermediaries being used. We have noted a downward trend in the use of regulated intermediaries, and we expect this trend to continue as regulated intermediaries do not tend to be used in closed-ended schemes where we see more growth in AUM in the Bailiwick. The reason being is that 4 FATF’s List of Jurisdictions under Increased Monitoring. 5 Data taken from the Thematic Review Questionnaire as of 14 October 2024.

8 closed-ended schemes are usually marketed directly to high net worth individuals and institutions rather than through regulated intermediaries. The United Kingdom and Switzerland collectively account for just over half of the intermediary relationships in the investment sector. Guernsey and Luxembourg intermediaries also feature highly. Figure 1: Top ten jurisdictions by percentage of intermediary relationships as at 30 June 2025 1.4 Rationale for the thematic review In the Bailiwick’s recent mutual evaluation, Moneyval raised concerns that the investment sector was not cognisant of the risks of regulated intermediaries, had misinterpreted the AML/CFT/CPF obligations to be applied to regulated intermediaries, and recommended that the Commission should make further efforts to monitor and ensure the proper application of simplified due diligence on regulated intermediaries, therefore, a thematic review of firms’ regulated intermediary risk mitigation measures and controls was undertaken. The ultimate objective of the thematic was to assess the extent to which firms were correctly applying the intermediary relationship and correspondent relationship provisions and to determine whether any changes to the regulatory framework were necessary. The thematic review was an opportunity for the Commission to review and assess the following key areas: • Are firms only using the intermediary relationship provisions in the Handbook in low risk situations? • What risk factors do firms consider when assessing the risk of regulated intermediaries and are these adequately documented?

9 • Are firms only accepting regulated intermediaries from Appendix C jurisdictions? If not, what additional measures are firms taking, such as applying the correspondent relationship measures in section 8.6 of the Handbook. • What CDD measures do firms apply to the regulated intermediary? • What compliance monitoring checks are undertaken in relation to regulated intermediary and are they considered effective? • What management information are Boards receiving in relation to regulated intermediary? • As a delivery channel for a product or service, the extent to which regulated intermediary arrangements are assessed within the firm’s ML/TF and PF business risk assessments; and the risks commonly identified by firms with them. 1.5 Scope and approach of the thematic review The thematic comprised a review of firms in the investment sector, including Designated Administrators, Asset Managers, Designated Custodians, and Investment Intermediaries. 131 firms completed a questionnaire on their intermediary and correspondent relationships. The questionnaire aimed to determine the size, type and nature of the Bailiwick’s intermediary and correspondent relationships, as well as the current state of the mitigants and controls implemented by firms. Of the fifty-two firms that had one or more intermediary relationships, thirty firms with the highest number of intermediary relationships were selected for review across a range of sub-sectors shown in Figure 2. For each of these firms, the Commission reviewed the business risk assessments, policies, procedures and controls, compliance monitoring programmes, management information and registers of regulated intermediaries. From the Figure 2: Firms visited as part of the thematic review by sub-sector. Open-ended Fund Administrator 40% Closed-ended Fund Administrator 36% Asset Manager 10% Investment Bank 7% Investment Intermediary 7%

10 registers provided, a maximum of ten regulated intermediary files were selected for review during the onsite visit, contingent upon the total number maintained by the firm. For each intermediary selected, the following were examined: the risk assessment, the qualifying products and services, the format and content of the written confirmation from the firm and the application of any additional intermediary-related criteria considered appropriate by the firm. Following completion of the file reviews, a meeting was held with the MLCO and a representative of the Board of the firm to assess the firm’s understanding of the specific risks associated with regulated intermediaries. Written feedback has not been provided to participating firms on an individual basis, other than where areas of concern needing clarification or remedial action requiring the imposition of risk mitigation programmes were identified. Section 2: Thematic Findings 2.1 Misclassification of regulated intermediaries A limited number of firms inaccurately classified certain regulated intermediaries. These cases arose from misunderstandings of the regulated intermediary definitions in the Handbook, as well as erroneous categorisation of collective investment schemes6 as intermediary relationships. There were also a small proportion of firms who treated non-Appendix C customers or non-low risk business relationships as intermediary relationships under section 9.8 of the Handbook. For these, firms should apply the correspondent relationship provisions in section 8.6 of the Handbook, or onboard the underlying customers directly. This is covered in greater detail in the “Risk Assessments” section. A number of intermediary relationships were reclassified following completion of the thematic questionnaire. Several firms demonstrated helpful practice by informing the Commission of these changes prior to the onsite visit, enabling the selection of alternative client files. This indicates that completing the thematic questionnaire prompted reviews of existing intermediary relationships among certain firms, facilitating the identification of incorrect classifications or the need for updated CDD. 6 Section 9.5 of the Handbook sets out the CDD measures to be applied to a collective investment scheme authorised or registered by the Commission.

11 Good Practice: Identification and reporting of intermediaries While many firms had sufficient policies procedures and controls to guide staff in the identification and requirements around regulated intermediaries, one firm visited by the Commission made use of a visual flow-chart to guide staff. This provided additional guidance taking a staff member through each of the considerations that need to be made when determining whether a customer can be treated as a regulated intermediary under section 9.8 of the Handbook. An example of a similar flow-chart can be found in Appendix 1. Other examples of good practice observed included requiring intermediary relationships to be signed off by the compliance team, as well as maintaining a separate register of intermediary customers in order to ensure consistent reporting of intermediary relationships to both the Board and the Commission. Area to Consider: Misclassification of intermediary relationships Action: Firms should review their intermediary relationships to ensure that the provisions are appropriately applied where the customer is determined to be a regulated intermediary in line with section 9.8 of the Handbook. 2.2 Risk assessments Rule 9.43 of the Handbook states that, before establishing an intermediary relationship, the firm must undertake a relationship risk assessment of the proposed business relationship with the regulated intermediary, and such an assessment will allow the firm to determine the risk in placing reliance on the regulated intermediary. In order to determine the risk in placing reliance on a regulated intermediary, relationship risk assessments should consider the requirements of rules 9.46 to 9.50 of the Handbook. Rule 9.46 states that, when establishing an intermediary relationship, the firm must apply CDD measures to the regulated intermediary to ensure that the regulated intermediary is either: (a) An Appendix C business; or (b) A wholly owned nominee subsidiary of an Appendix C business which applies the policies, procedures, and controls of, and is subject to oversight from, the Appendix C business; excluding a trust and corporate service provider unless that trust and corporate service provider is licensed under the Regulation of Fiduciaries, Administration Businesses and Company Directors, etc. (Bailiwick of Guernsey) Law, 2020. Once this condition has been met, firms must ensure that all other relevant risk factors have been considered before arriving at a final risk rating. In order to use the intermediary relationship provisions in section 9.8 of the Handbook,

12 firms must be comfortable that the risk is low. This was an area highlighted within the Bailiwick’s 2025 Moneyval report which found that some firms misapplied simplified due diligence by relying solely on the intermediary being licensed in an Appendix C jurisdiction, without properly assessing the risks of their customer base. It is positive that the vast majority of firms visited provided appropriately structured and adequate relationship risk assessments for their intermediary relationships during the thematic onsite visits. The Commission identified four firms with relationship risk assessments that did not assess all relevant risk factors, requiring remedial action as part of wider risk mitigation programmes. We observed good practice where some firms used intermediary-specific relationship risk assessment forms, which considered a range of risk factors as highlighted in figure 3: If a relationship does not fit into either an intermediary or correspondent classification, a firm must identify and verify the identity of the underlying customers. Point of Note: Risk factors It was observed that the majority of relationship risk assessments reviewed ensured that the regulated intermediary was from an Appendix C jurisdiction, written confirmations had been provided by the regulated intermediaries as to adequacies of its CDD measures and that a low risk rating was appropriate. However, the following three areas of concern were identified: Wolfsberg Questionnaire (if used) Sanctions Controls Written PEP controls Confirmations Adverse Media Proof of Regulation Appendix C Jurisdiction Personal Asset Holding Vehicles Intermediary Risk Assessment Not low risk Low risk Relationship can be treated as an intermediary. Relationship must be treated as a correspondent and ECDD undertaken*. Figure 3: Risk factors to consider within an intermediary risk assessment.

13 ➢ Whilst no high risk factors were identified, some firms were unable to assign a low risk rating because of internal policies, procedures and controls not enabling a relationship to be assessed as low risk in their systems, even when appropriate. To counter this, firms could change their policies, procedures and controls. ➢ As a matter of course, firms were undertaking adverse media screening of regulated intermediaries and on occasion identifying adverse information as a risk factor. However, some firms did not document in the relationship risk assessment how they had discounted that adverse information and why a low risk rating remained appropriate. ➢ It was not always evident from the relationship risk assessment as to the intended purpose and nature of the intermediary relationship and how this factor impacted the rating given. Case Study: Failure to reference and document adverse media on the relationship risk assessment One firm exhibited poor practice in its approach to documenting adverse media findings. One of the firm's regulated intermediaries had generated an adverse media hit during searches, which was duly recorded on the firm's internal adverse media record form. This alert highlighted a reprimand issued to the regulated intermediary owing to inadequate AML/CFT controls and a failure to investigate large, high-risk transactions. Notwithstanding the documentation of this information, the firm had omitted to include this adverse media on the relationship risk assessment form or to provide a rationale for why it had been discounted. The relationship was still rated as low risk, and this rating appeared to rely solely on the regulated intermediary's Appendix C status. Case Study: Failure to factor into the risk assessment the purpose and intended nature of the intermediary relationship. One firm had assessed a discretionary investment manager from an Appendix C jurisdiction as low risk and therefore concluded it could be considered as an intermediary relationship under section 9.8 of the Handbook, despite being fully aware that the underlying investors of the regulated intermediary were Russian nationals. Although this was pre-implementation of the Russian sanctions, Russia has been on Appendix I to the Handbook for some time due to its heightened bribery and corruption risks, therefore this relationship should not have been classed as low risk.

14 Good Practice: Tailored relationship risk assessments One firm’s relationship risk assessment form acted as an effective control for ensuring that all regulated intermediary requirements were adequately collected and documented. The form incorporated supporting details such as confirmation of regulatory status, authorised signatory lists and identification for signatories. Additionally, it recorded both the evidence of the regulated intermediary’s written confirmations, including date received, as well as noting the qualifying product or service, as per Handbook rule 9.53. Inclusion of senior management sign-off for regulated intermediaries further enhanced the firm’s recognition of intermediary specific risks. As further evidence of good practice, the firm identified adverse media relating to one regulated intermediary, but assessed the risk of this to be low due to the length of time that had passed, and the remediation required by regulatory action having been completed. This rationale was clearly documented within the firm’s relationship risk assessment form. Area to Consider: Risk assessments Firms should ensure that risk assessments completed for intermediary relationships take into account all relevant risk factors and that only relationships where the risk is rated as low continue to be classified as intermediary relationships as per section 9.8 of the Handbook. 2.3 Regulated intermediary written confirmations It was encouraging to note that the vast majority of the intermediary relationship files reviewed included written confirmations from the regulated intermediary that included reference to all the written requirements in section 9.8 of the Handbook. Evidence showed firms utilising their own template letters, but also accepting regulated intermediaries’ own versions, provided all requirements were covered. Only a very small number of firms reviewed operated without a template letter. In the few instances where written confirmations were missing, firms had been proactive in contacting regulated intermediaries to obtain updated versions, although some of these requests lacked a specified timeframe for receipt, leading, at times, to ongoing delays. Good practice was evident in firms that froze accounts when updated regulated intermediary written confirmations were not received, demonstrating their commitment to mitigating risks. It was also common to request a copy of the authorised signatory list for the regulated intermediary. We noted that firms on a number of occasions, particularly those which form part of groups operating on the European continent and subject to European supervisory guidance7 , required an additional confirmation that, “the intermediary will provide CDD information and documents on the underlying investors immediately upon request”. 7 EBA Guidelines dated 1 March 2021 on customer due diligence and the factors credit and financial institutions should consider when assessing the money laundering and terrorist financing risk associated with individual business relationships

15 We also noted that, following the implementation of Russian targeted financial sanctions, many firms had obtained an additional written confirmation that the regulated intermediary would immediately notify the firm of any sanction connection. Moreover, a number of firms required the completion of a Wolfsberg Questionnaire8 , confirmation of internal audits, details on the geographical bases of underlying investors and confirmation of investor numbers to prevent misuse as Personal Asset Holding Vehicles (“PAHVs”) (the risks of which are detailed in section 9.8.3.3 of the Handbook). The most frequent omission was written confirmation under Handbook rule 9.47(iv) that the regulated intermediary solely operates accounts for which it has ultimate control over products or services. Additionally, in respect to the investment of life company funds, Handbook rule 9.56 states that, if the account or investment has a policy identifier then the firm must require an undertaking from the life company that it is the legal and beneficial owner of the funds and that the policyholder has not been led to believe that they have rights over an account or investment in the Bailiwick. This was a requirement which a minority of firms had failed to document fully. A further breakdown of compliance with the required attestations can be found in figure 4 below. https://www.eba.europa.eu/sites/default/files/document_library/Publications/Guidelines/2021/963637/Final%20Report%20on %20Guidelines%20on%20revised%20ML%20TF%20Risk%20Factors.pdf 8 Correspondent banking due diligence questionnaire developed by the Wolfsberg Group Areas for improvement No written confirmations from the regulated intermediary evident. Accepting written confirmations or documents which do not include required Handbook confirmations. The written confirmation does not contain enough information to be able to understand the purpose and intended nature of intermediary relationship. Failing to consider that the regulated intermediary may be investing life company funds with a policy identifier, therefore failing to gain the additional written confirmation. Good Practice Requesting additional confirmations around key risk areas (e.g. sanctions, PEPs, PAHVs). Freezing accounts until written confirmations are received. Where wording in the written confirmation differs to that in the Handbook, documenting how the firm considers it meets the requirements. Requesting updated confirmations as part of the risk review process. Having the ability to request the CDD documents for the underlying investors. Collection of authorised signatory lists. Figure 4: Good practice and areas for improvement observed in relation to written confirmations from the regulated intermediary.

16 One of the most common additional confirmations to that prescribed by section 9.8 of the Handbook, was a confirmation that the regulated intermediary screened its customers and beneficial owners against applicable sanctions regimes. In some cases, firms required regulated intermediaries to provide a confirmation that any connections to sanctioned persons would be provided to the firm without delay. This is an area we would encourage firms to scrutinise carefully because, whilst the overwhelming majority of jurisdictions will apply United Nations targeted financial sanctions, they will not necessarily impose United Kingdom unilateral targeted financial sanctions’ such as those currently imposed on Russian interests. Firms should ensure that regulated intermediaries are screening against UK targeted financial sanctions and, if not, seek confirmation of the identity of the underlying customers to enable the firm to perform its own screening against UK targeted financial sanctions. Good practice: Increased outreach following the 2022 invasion of Ukraine Following Russia’s invasion of Ukraine in 2022, a firm reached out to each of its intermediary relationships to determine whether there was any exposure to Russia, Ukraine, or Belarus within the underlying customer base. Confirmation was further requested that any such relationships be assessed as high risk by the intermediary. At this point, refreshed written confirmations were sought from intermediary relationships for all required attestations per Handbook rule 9.47, as well as an additional attestation confirming that customers were screened against UN and UK sanctions lists, with the intermediary undertaking to inform the firm should any underlying customer become subject to applicable sanctions regimes. Area to Consider: Intermediary written confirmation Firms should ensure that written confirmations from the regulated intermediary meet the requirements of Handbook rule 9.47 in full and document their consideration of how the requirements are met if the wording does not fully align.

17 2.4 Compliance monitoring programme The majority of firms had a compliance monitoring programme that included testing of regulated intermediaries, with only a small portion not testing regulated intermediaries, as seen in the chart in Figure 5: Figure 5: Compliance monitoring testing of regulated intermediaries The separate tests for regulated intermediaries focused on the specific Handbook requirements relating to intermediary relationships, such as testing whether the intermediary was still a regulated business in an Appendix C jurisdiction, was rated low risk and that sufficient written confirmations had been provided by the regulated intermediary. Area to Consider: Compliance monitoring programme Firms should ensure that regulated intermediary files, policies, and procedures are tested as part of the compliance monitoring programme, with focus on the specific Handbook requirements for intermediaries. 2.5 Central securities depositories A sample of twenty-eight central securities depositories (“CSDs”) files, representing 12% of the total sample of intermediaries, were reviewed during thematic onsite visits. The most common CSDs reviewed were international CSDs such as Euroclear (including Fundsettle) and Clearstream. CSDs facilitate settlement of trades between financial services businesses, such as facilitating a regulated intermediary investing in a Bailiwick collective investment scheme either directly or on behalf of its customers. As the CSD’s customer is the regulated intermediary it does not know the identity of the regulated intermediary’s

18 customers and therefore is unable to comply with the attestations listed in Handbook rule 9.47. This can be seen in figure 6 below. However, firms have the ability to treat a CSD as a correspondent relationship. This approach has been echoed by Clearstream in its guidance on “AML and KYC for investment funds” 9 and is consistent with both FATF guidance10 and risk factors guidelines issued by the European Supervisory Authorities11 . We noted from our review that one firm had already implemented such measures. Good Practice: Correspondent relationships A firm had taken on a customer under the intermediary relationship provisions, but after review, this customer was reclassified as a correspondent relationship due to identification of a new high risk factor. To reclassify the relationship as a correspondent, a new risk assessment was undertaken, and sufficient information was gathered from the respondent institution to understand its business and to confirm its policies, procedures and controls were adequate, appropriate and effective. Once this was completed the business relationship was approved by the board. Area to Consider: Central securities depositories In order to treat the central securities depository as the customer, rather than its underlying customers, it should be reclassified as a correspondent relationship in line with section 8.6 of the Handbook. We note that both Clearstream and Euroclear provide a number of industry standard completed questionnaires on their websites to help streamline the process. 9 https://www.clearstream.com/resource/blob/1969580/28581c0345c41db7a5b973fe0f7f8fd6/aml-kyc-data.pdf 10 https://www.fatf-gafi.org/content/dam/fatf-gafi/guidance/RBA-Securities-Sector.pdf.coredownload.pdf 11 https://www.eba.europa.eu/sites/default/files/document_library/Publications/Guidelines/2021/963637/Final%20Report%20on %20Guidelines%20on%20revised%20ML%20TF%20Risk%20Factors.pdf Bailiwick FSB Bailiwick FSB Bailiwick FSB Central Securities Depository CSD Member CSD Member CSD Member Underlying Customers Figure 6: The Functions of Central Securities Depositories

19 2.6 Board risk understanding As required by the Handbook, firms must carry out and document suitable and sufficient Business Risk Assessments for ML, TF, and PF, which are specific to the firm and consider all the relevant risk factors. Encouragingly, the majority of firms reviewed had business risk assessments that included consideration of the firms’ intermediary relationships and the associated risks. Only a small proportion lacked reference to specific intermediary risk factors or did not consider regulated intermediaries altogether. This can be seen in figure 7: Individuals interviewed onsite generally demonstrated a sound understanding of intermediary relationship requirements and the associated risks. Notably, firms consistently identified a lack of knowledge of the underlying investors and reliance on the intermediary, among other factors, as key risk considerations. Good Practice: References to intermediaries in the business risk assessments The business risk assessments of a firm documented, in detail, the specific risks associated with both intermediary and correspondent relationships, including reference to the fact that the regulated intermediary may not have adequate CDD on the underlying investors, as well as the risks associated with accepting the intermediary’s own written confirmations. The total current number of the firm’s intermediary and correspondent relationships was also included as well as being expressed as a percentage of the firm’s total business relationships, providing detail on the extent of the risks. The business risk assessments then listed a range of effective controls to mitigate against these risks, referencing the firm’s policies, procedures and controls to support this. It was highlighted that the compliance monitoring programme testing of intermediary and correspondent relationships ensured the Figure 7: Do Business Risk Assessments identify the risks associated with intermediaries? Adequately identifies risks associated with intermediaries 73% Some mention of intermediaries with under-developed assessment of risk 14% No mention of intermediaries 13%

20 effectiveness of these mitigants. The business risk assessments noted that a recent review had identified further possible intermediary relationships, and that these would be added to the firm’s register. The majority of firms reviewed were supplying management information to their Boards regarding intermediary relationships, however the frequency and quality varied considerably. Good practice in the provision of management information included the reporting of intermediary relationship numbers and any changes, with accompanying details on jurisdictions and the rationale for removals from the intermediaries register. Firms also presented details of blocked and sanctioned investors within intermediary relationships, as well as findings from testing intermediary relationships under their compliance monitoring programmes. Area to Consider: Board risk understanding Firms should ensure that they carry out and document suitable and sufficient business risk assessments for ML/TF/PF, which consider all the relevant risk factors and are specific to the firm, including the risk associated with regulated intermediaries if applicable. Figure 8: Frequency of board MI for intermediary/correspondent relationships Ad-Hoc 50% Annually 13% As part of regular reporting (i.e. quarterly or more frequently) 34% Never 3%

21 Section 3: Conclusion and Next Steps We observed numerous instances of good practice, with the vast majority of firms demonstrating a clear understanding of the risks associated with regulated intermediaries and implementing appropriate measures to address them. It was reassuring to note that regulated intermediary controls are effectively embedded within the policies and procedures of Bailiwick firms, although a small minority exhibited lower proficiency in documenting these risks and their corresponding mitigants. A broad spectrum of effective practices was evident in the assessment and management of regulated intermediary risks, with a significant proportion of firms adopting appropriate measures to mitigate these risks. Nonetheless, as a result of the thematic review we did impose risk mitigation programmes on two firms, with two already being subject to risk mitigation programmes which included the intermediary relationship provisions in section 9.8 of the Handbook. Moreover, we did identify six areas for improvement which all firms that use the intermediary relationship and correspondent relationship provisions should take note of and are summarised on page 6 of the report. We are currently in the process of updating the Handbook to take account of the Moneyval recommendations. As a result of this thematic review we will also consider what additional guidance can be given in the Handbook in relation to both intermediary and correspondent relationships, taking into account not only these findings, but also what measures are applied in other international financial centres.

22 Appendix 1: Intermediary and Correspondent Relationships Flowchart Is the customer investing in their own name on behalf of one or more underlying customers, for provision of one of the services outlined in Handbook rule 9.53? Customer should not be treated as an intermediary relationship. Has the customer been risk assessed, taking into account all relevant risk factors, as low risk? Customer should not be treated as an intermediary relationship, but the correspondent relationship provisions may be used if suitable. Is the customer regulated in an Appendix C jurisdiction (or wholly owned subsidiary thereof) and is the proof of regulation held on file? Customer should not be treated as an intermediary relationship, but the correspondent relationship may be used if suitable. Has the Firm received written confirmation from the intermediary which is sufficient to meet the requirements of Handbook rule 9.47. Intermediary relationship is not compliant. If the intermediary is a life insurer with an account with a policy identifier, does the Firm have an undertaking from the intermediary to meet the requirements of Handbook rule 9.56? Intermediary relationship is not compliant. This can be treated as an intermediary relationship. Ensure that it is tested regularly as part of the compliance monitoring programme and reported as an intermediary in the Financial Crime Risk Returns. Is the customer a central securities depositary (i.e. Clearstream, Euroclear)? Customer should not be treated as an intermediary relationship, but the correspondent relationship provisions can be used. YES N/A YES NO